also prevent empty filenames

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>
cs3org · Jun 25, 2024 · 8e8efc8 · 8e8efc8
1 parent 24ca4f8
commit 8e8efc8
Show file tree

Hide file tree

Showing 6 changed files with 14 additions and 10 deletions.
diff --git a/internal/http/services/owncloud/ocdav/copy.go b/internal/http/services/owncloud/ocdav/copy.go
@@ -88,14 +88,14 @@ func (s *svc) handlePathCopy(w http.ResponseWriter, r *http.Request, ns string)
 		return
 	}
 
-	if err := ValidateName(path.Base(src), s.nameValidators); err != nil {
+	if err := ValidateName(filename(src), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
 		errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
 		return
 	}
 
-	if err := ValidateDestination(path.Base(dst), s.nameValidators); err != nil {
+	if err := ValidateDestination(filename(dst), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, "destination failed naming rules", "")
 		errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)

diff --git a/internal/http/services/owncloud/ocdav/mkcol.go b/internal/http/services/owncloud/ocdav/mkcol.go
@@ -39,10 +39,10 @@ func (s *svc) handlePathMkcol(w http.ResponseWriter, r *http.Request, ns string)
 	ctx, span := appctx.GetTracerProvider(r.Context()).Tracer(tracerName).Start(r.Context(), "mkcol")
 	defer span.End()
 
-	fn := path.Join(ns, r.URL.Path)
-	if err := ValidateName(path.Base(fn), s.nameValidators); err != nil {
+	if err := ValidateName(filename(r.URL.Path), s.nameValidators); err != nil {
 		return http.StatusBadRequest, err
 	}
+	fn := path.Join(ns, r.URL.Path)
 	sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
 
 	client, err := s.gatewaySelector.Next()

diff --git a/internal/http/services/owncloud/ocdav/move.go b/internal/http/services/owncloud/ocdav/move.go
@@ -60,14 +60,14 @@ func (s *svc) handlePathMove(w http.ResponseWriter, r *http.Request, ns string)
 		return
 	}
 
-	if err := ValidateName(path.Base(srcPath), s.nameValidators); err != nil {
+	if err := ValidateName(filename(srcPath), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, "source failed naming rules", "")
 		errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)
 		return
 	}
 
-	if err := ValidateDestination(path.Base(dstPath), s.nameValidators); err != nil {
+	if err := ValidateDestination(filename(dstPath), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, "destination naming rules", "")
 		errors.HandleWebdavError(appctx.GetLogger(ctx), w, b, err)

diff --git a/internal/http/services/owncloud/ocdav/ocdav.go b/internal/http/services/owncloud/ocdav/ocdav.go
@@ -394,3 +394,8 @@ func (s *svc) referenceIsChildOf(ctx context.Context, selector pool.Selectable[g
 	pp := path.Join(parentPathRes.Path, parent.Path) + "/"
 	return strings.HasPrefix(cp, pp), nil
 }
+
+// filename returns the base filename from a path and replaces any slashes with an empty string
+func filename(p string) string {
+	return strings.Trim(path.Base(p), "/")
+}
diff --git a/internal/http/services/owncloud/ocdav/put.go b/internal/http/services/owncloud/ocdav/put.go
@@ -113,10 +113,9 @@ func (s *svc) handlePathPut(w http.ResponseWriter, r *http.Request, ns string) {
 	defer span.End()
 
 	fn := path.Join(ns, r.URL.Path)
-
 	sublog := appctx.GetLogger(ctx).With().Str("path", fn).Logger()
 
-	if err := ValidateName(filepath.Base(fn), s.nameValidators); err != nil {
+	if err := ValidateName(filename(r.URL.Path), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
 		errors.HandleWebdavError(&sublog, w, b, err)
@@ -412,7 +411,7 @@ func (s *svc) handleSpacesPut(w http.ResponseWriter, r *http.Request, spaceID st
 		return
 	}
 
-	if err := ValidateName(filepath.Base(ref.Path), s.nameValidators); err != nil {
+	if err := ValidateName(filename(ref.Path), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		b, err := errors.Marshal(http.StatusBadRequest, err.Error(), "")
 		errors.HandleWebdavError(&sublog, w, b, err)

diff --git a/internal/http/services/owncloud/ocdav/tus.go b/internal/http/services/owncloud/ocdav/tus.go
@@ -106,7 +106,7 @@ func (s *svc) handleTusPost(ctx context.Context, w http.ResponseWriter, r *http.
 		w.WriteHeader(http.StatusPreconditionFailed)
 		return
 	}
-	if err := ValidateName(path.Base(meta["filename"]), s.nameValidators); err != nil {
+	if err := ValidateName(filename(meta["filename"]), s.nameValidators); err != nil {
 		w.WriteHeader(http.StatusPreconditionFailed)
 		return
 	}